You are here

Sensitive Identifiable Human Subject Research

Research that obtains or accesses individually identifiable private information about humans through interactions or interventions with the individual (known as human subject research) requires protections against unauthorized access. Private identifiable information includes medical records, education records, and any other information that an individual believes is private.

IRB Review Process

The UC Davis IRB reviews research involving human subjects to ensure (1) there are adequate protections for the study participants; and (2) the research is compliant with UC Davis standard operating procedures and applicable regulations and guidance. In some instances, the UC Davis IRB will allow an external IRB to review research conducted at UC Davis. During the review, the IRB is required to determine whether the study participants’ privacy and confidentiality are protected. The IRB will review the protocol to see if this requirement is met, so the protocol must clearly describe how the research will protect data about the participant from unauthorized access or disclosure. The level of protection required depends upon the sensitivity of the information being accessed or created during the research.

In many instances, the IRB will determine that the risk of inadvertent access or disclosure can be minimized if the protocol required data to be accessed or created in a de-identified or anonymous format.

De-identified means the data are stripped of all identifying information (names, dates relating to the individual, account numbers, phone numbers, email addresses, etc.) and coded. The code can be linked to the individual’s identity but the key to the code is usually held by a third party, often referred to as the “honest broker.”

Anonymous means the data are stripped of all identifiers and link to the participants’ identity is maintained.

If the research cannot be conducted unless the data accessed or created are identifiable, the IRB will look at the sensitivity of the data and whether the information is confidential or private.

Confidential information is secret, meaning there are laws or agreements that prohibit the information from use and/or disclosure without meeting specific requirements such as consent from the individual. See Privacy Laws below.

Private information is information that an individual does not believe would be made public such as emails, texts, other correspondence, or their location (GPS coordinates) at specific times.

If the identifiable data include information that is sensitive, confidential or private, then the IRB will require the data to be maintained in a secure manner and will require protections such as data encryption, use of authentication mechanisms such as user names and passwords, audit trails, staff training, etc. The IRB works with the Information Security Office and Privacy Officer to determine whether security measures are adequate. For more information about data security, contact [someone from information security]. Click here for more information about the IRB submission process.

Examples:

The National Institutes of Health (NIH) defines “sensitive information” as information relating to: